Do Not Track Update: From Congressional Hearings to Uproar Over Microsoft’s "Default" Settings, the Fight for User Privacy Continues

This is part one of a two-part series on current updates in Do Not Track. Part two will explore issues around default settings in more depth.

As summer wanes, EFF and other digital rights advocates are continuing to fight for Do Not Track, a one-click browser-based signal users can turn on to tell websites not to track their online browsing habits. In this article, we’ll be reviewing recent Congressional hearings about online tracking and discussing a Do Not Track proposal being promoted by EFF, Stanford, and Mozilla.

Congress Hears from Privacy Experts

In June, the House Subcommittee on Intellectual Property, Competition and the Internet held a hearing on how the technology industry can implement privacy protections that inform and protect consumers. New York Law School Prof. James Grimmelmann discussed Do Not Track and articulated (PDF) three principles that are necessary to achieve genuine consumer choice:

Usability—privacy interfaces must be clear and clearly disclosed.

Reliability—a consumer who has expressed a choice is entitled to expect that it will be honored.

Innovation for privacy—a privacy policy should encourage the development of these technologies, and protect them from interference.

Later in June, the Senate Commerce Committee heard testimony from Ohio State University Law School Prof. Peter Swire. Swire was critical of current online behavioral advertising industry self-regulation, noting that while “the 2011 DAA [Digital Advertising Alliance] principles have a section called ‘Limitations on the Collection of Multi-Site Data’…. As drafted, it is difficult to see what limitations on collection could be enforced given the breadth of the exceptions.” Read Swire's testimony (PDF).

If nothing else, this testimony ensures that lawmakers are hearing from privacy advocates about the problem with today’s ecosystem of pervasive online tracking.

World Wide Web Consortium Works to Achieve Consensus on Do Not Track Standards—Especially When It Comes to Browser Defaults

Meanwhile, work in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG) continues. The W3C is a multi-stakeholder group of academics, thought leaders, companies, industry groups, and advocacy organizations like EFF (as an invited expert) working to create voluntary standards for the web. The TPWG charter, which would have expired by now, was extended another six months at the beginning of August.

Earlier this year, EFF, Mozilla, and Stanford’s Jonathan Mayer offered a compromise proposal that concedes to the online behavioral advertising industry a narrow scope of effect for DNT—mainly affecting “third parties” that consumers generally don’t know about—while subjecting such third parties to significant data collection restrictions. Our proposal would limit companies’ ability to collect a user’s browsing or reading history; companies could collect protocol data (like IP address and HTTP referrer) for a reasonable time, if they did not use unique ID cookies or their equivalents. Our proposal also conceded, however, that companies could collect and retain significantly more data for security purposes.
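As an added illustration (not code from EFF, Mozilla, Stanford, or the W3C working group), the Python below shows how a third-party server could apply the collection limits described above when a request carries the `DNT: 1` header. The 14-day retention window, the `uid` cookie name, and the function names are assumptions made for this example; the proposal's security exception is not modelled.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Assumption: the proposal says "a reasonable time" without giving a number;
# 14 days is a placeholder chosen for this example.
PROTOCOL_DATA_RETENTION = timedelta(days=14)
UID_COOKIE = "uid"  # hypothetical name of the tracker's unique-ID cookie


def _lower(headers):
    """HTTP header names are case-insensitive; normalise them once."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def dnt_enabled(headers):
    """True when the request carries the Do Not Track header 'DNT: 1'."""
    return _lower(headers).get("dnt") == "1"


def parse_cookies(headers):
    raw = _lower(headers).get("cookie", "")
    pairs = (p.split("=", 1) for p in raw.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def handle_third_party_request(headers, remote_ip, now):
    """Return (log_record, set_cookie_headers) for one third-party request."""
    record = {"ip": remote_ip, "referrer": _lower(headers).get("referer"), "seen": now}
    cookies = parse_cookies(headers)
    if dnt_enabled(headers):
        # Protocol data only, with an expiry; no unique ID is stored or set.
        record["expires"] = now + PROTOCOL_DATA_RETENTION
        set_cookie = []
        if UID_COOKIE in cookies:
            # Expire an ID cookie that was set before the user turned DNT on.
            set_cookie.append(f"{UID_COOKIE}=; Max-Age=0; Path=/")
        return record, set_cookie
    # No DNT signal: ordinary unique-ID tracking, shown for contrast.
    uid = cookies.get(UID_COOKIE) or secrets.token_hex(16)
    record["uid"] = uid
    return record, [f"{UID_COOKIE}={uid}; Max-Age=31536000; Path=/"]


def purge_expired(records, now):
    """Drop DNT-governed records whose retention window has passed."""
    return [r for r in records if r.get("expires") is None or r["expires"] > now]
```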

At a non-technical policy level, the online advertising industry has suggested that companies may be able to meaningfully tighten the scope of permitted uses for online behavioral data and the amount of time that data would be kept or retained. While these would be good steps for privacy, we believe more needs to be done at a technical level. We’re encouraged that there’s been some industry response on these technical issues.

These issues aren’t easy. Entire business models in the online advertising industry are built on the assumption that data about users’ online activities will be easily available. And of course the overall advertising ecosystem isn’t monolithic. “First parties” range from large social networks and search engines to news and blogging sites, and they can also have significant ability to observe users’ behavior on many different sites, e.g. social widgets like a Facebook “like” button. Third-party tracking entities can be large or small, while their economic incentives and financial and technical resources may differ significantly.

The compromise offered by Mozilla, Stanford, and EFF attempts to thread a difficult needle, balancing users’ need for privacy and industry interests in providing advertisements and protecting against security threats. We think it achieves the three principles outlined by Prof. Grimmelmann in his testimony to Congress—namely, that it is usable (users can set it in the browser with just a couple clicks), reliable (once the Do Not Track standard is set, there will be a recognized understanding of how websites should respond when they receive the Do Not Track signal) and allows for privacy innovation. This third part is essential—the Do Not Track standard we are working to create is one that allows for many new, privacy-protecting business models to flourish. As researchers Jonathan Mayer and Arvind Narayanan articulated in a recent blog, "A rigid use-based approach could lock in current advertising business practices, stifling innovation, or motivate some companies to bend the rules and justify tracking for an ever-expanding set of uses." The compromise agreement on Do Not Track, which limits data collection by third parties but doesn’t tell advertisers what types of ads they can show or limit new forms of future advertising models, provides a framework that’s good for innovation and privacy.
